Google to delete old Chrome Incognito data

Martin Shelton

Principal Researcher

Illustration by the Electronic Frontier Foundation. (CC BY 2.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Following a class-action lawsuit over Google’s handling of user data in its Chrome browser’s “Incognito” private browsing mode, the search company will expunge “billions of event-level data records that reflect class members’ private browsing activities” improperly collected before January 2024. It also updated its Incognito landing page to highlight that even Google can discern your activities in private browsing mode. Additionally, the company will be required to delete data that makes users’ private browsing data personally identifiable, such as IP addresses. Read more.

What you can do

  • I used to conduct privacy and security research for Chrome, so let me tell you, there is a lot of publicly available research on private browsing. Prior research suggests many people overestimate the privacy protections of the private browsing mode in all major browsers. That’s why you should read about what private browsing mode does and doesn’t do. When using private browsing, you are only deleting browsing history on your device, so this really only helps you if your concern is someone else picking up your computer and looking at the browsing history. As soon as you connect to a website, that website has a record of your visit. All code running on those websites — including code from Google, such as Google Analytics — can still track your browsing mode in Incognito mode.

  • If your concern, instead, is that your internet service provider, or even the websites you connect to, can determine your location or see your IP address, you might actually want to consider a virtual private network. A VPN encrypts and tunnels your web traffic through a remote server before you connect to the web, so you may appear to be connecting from somewhere remote — perhaps even another country. But because the VPN provider gets to see all of your traffic, you really need to trust it. Don’t use a free VPN, because it might make its money selling your traffic data. Read our guide to choosing a reputable VPN. Note that even a VPN doesn’t make you invisible — it just moves the traffic to somewhere else, where it may still be surveilled by anyone who can capture it.

Updates from our team

  • We made some updates to the slides and activities in our U.S. Journalism School Digital Security Curriculum in response to recent changes to Signal. Those changes allow people to connect with usernames instead of phone numbers. If you or someone in your orbit are interested in security education for J-schools, check it out here.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.



Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Crossfire over messaging security

Johns Hopkins cryptography professor Matthew Green explains that “the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard.” By comparison, Telegram does not provide end-to-end encryption protection by default and only offers it as an option in one-on-one “Secret Chat” mode.

Google Docs locks out writer

While it’s powerful and convenient, Google Docs might not be right for all documents, including those that you consider sensitive, private, or that you can’t risk losing. Read more about newsroom privacy and security considerations when using Google Workspace.

Google details app violations

According to its security blog, Google prevented 2.28 million — yes, million — Android apps from being published on its Play Store in 2023. The company says it also removed 333,000 accounts for attempting to deliver malware through the Play Store, as well as for “repeated severe policy violations.” These numbers have grown substantially since 2022, when the company disclosed it prevented 1.43 million apps from being published on the Play Store.